authorDaniel <mail@danielkesselberg.de>2025-01-27 17:28:03 +0100
committerGitHub <noreply@github.com>2025-01-27 17:28:03 +0100
commit4561b4eba189911a57af225e18e2a18ace40eae2 (patch)
tree85c60ab0b82b4d87ecd4942eec612800953ab39a
parentc4161548f9dea5da584858b656eb0e77edcf6587 (diff)
parentde77415c70812405c814363f1b2364fea1d6f1c9 (diff)
downloadnextcloud-server-4561b4eba189911a57af225e18e2a18ace40eae2.tar.gz
nextcloud-server-4561b4eba189911a57af225e18e2a18ace40eae2.zip
Merge pull request #45364 from nextcloud/fix/ldap-avoid-false-positive-mapping
fix(user_ldap): Do not map groups we do not know if they match filter
-rw-r--r--apps/user_ldap/lib/Access.php13
-rw-r--r--apps/user_ldap/lib/Group_LDAP.php2
2 files changed, 11 insertions, 4 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index ba62239138d..88d34297bbd 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -436,10 +436,11 @@ class Access extends LDAPUtility {
*
* @param string $fdn the dn of the group object
* @param string $ldapName optional, the display name of the object
+ * @param bool $autoMapping Should the group be mapped if not yet mapped
* @return string|false with the name to use in Nextcloud, false on DN outside of search DN
* @throws \Exception
*/
- public function dn2groupname($fdn, $ldapName = null) {
+ public function dn2groupname($fdn, $ldapName = null, bool $autoMapping = true) {
//To avoid bypassing the base DN settings under certain circumstances
//with the group support, check whether the provided DN matches one of
//the given Bases
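Review bot: The `@return` line still says false is returned only for a DN outside the search bases, but with `$autoMapping = false` the method now also returns false for a group that exists in LDAP and is simply not mapped yet, and callers cannot distinguish the two cases from the return value. Suggest `@return string|false with the name to use in Nextcloud, false on DN outside of search DN or when the group is not yet mapped and $autoMapping is false`. The new parameter is the only natively typed one in the signature while `$fdn` and `$ldapName` remain untyped; `string $fdn, ?string $ldapName = null` would be consistent, though that is arguably out of scope for this fix. dn2groupname's body continues past the end of the hunk.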
@@ -447,7 +448,7 @@ class Access extends LDAPUtility {
return false;
}
- return $this->dn2ocname($fdn, $ldapName, false);
+ return $this->dn2ocname($fdn, $ldapName, false, autoMapping:$autoMapping);
}
/**
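Review bot: The named argument on the changed line is written without a space after the colon, `autoMapping:$autoMapping`, which departs from the PER-CS/PSR-12 formatting used elsewhere in the codebase; it should read `return $this->dn2ocname($fdn, $ldapName, false, autoMapping: $autoMapping);`. Mixing the positional `false` for `$isUser` with a named argument is acceptable here since it skips the by-reference `$newlyMapped` and `$record`, but naming `isUser: false` as well would make the call self-describing.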
@@ -477,10 +478,11 @@ class Access extends LDAPUtility {
* @param bool $isUser optional, whether it is a user object (otherwise group assumed)
* @param bool|null $newlyMapped
* @param array|null $record
+ * @param bool $autoMapping Should the group be mapped if not yet mapped
* @return false|string with with the name to use in Nextcloud
* @throws \Exception
*/
- public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null) {
+ public function dn2ocname($fdn, $ldapName = null, $isUser = true, &$newlyMapped = null, ?array $record = null, bool $autoMapping = true) {
static $intermediates = [];
if (isset($intermediates[($isUser ? 'user-' : 'group-') . $fdn])) {
return false; // is a known intermediate
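Review bot: The new `@param bool $autoMapping` text says "Should the group be mapped", but dn2ocname handles both users and groups (`$isUser`), so the docblock is inaccurate for the user path. Suggest `@param bool $autoMapping whether to create a mapping for an object (user or group) that is not mapped yet; when false, an unmapped object yields false` and extend the `@return` line with `, or false when not mapped yet and $autoMapping is false` so callers know a false result no longer implies an invalid DN. The rest of dn2ocname, including the place where `$newlyMapped` is initialised, lies outside this hunk.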
@@ -499,6 +501,11 @@ class Access extends LDAPUtility {
return $ncName;
}
+ if (!$autoMapping) {
+ /* If no auto mapping, stop there */
+ return false;
+ }
+
if ($isUser) {
$nameAttribute = strtolower($this->connection->ldapUserDisplayName);
$filter = $this->connection->ldapUserFilter;
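Review bot: The comment `/* If no auto mapping, stop there */` on the added early return describes what the code does but not why, and the why is the security-relevant part of this change: the code below this point creates a new mapping without the caller having verified that the DN matches the configured user or group filter, so returning early prevents an unfiltered LDAP object from being registered as a Nextcloud user or group. Suggest `/* Caller has not verified this DN against the LDAP filter; do not create a mapping for an object that may fall outside it */`. Because `$newlyMapped` is passed by reference, it is worth confirming that it is assigned `false` before this return (the initialisation is not in the hunk); otherwise the caller's variable keeps whatever value it had. A `$this->logger->debug()` line naming the DN here would also make skipped mappings visible to administrators troubleshooting missing groups.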
diff --git a/apps/user_ldap/lib/Group_LDAP.php b/apps/user_ldap/lib/Group_LDAP.php
index 0cd263edec8..85c71fc5fd8 100644
--- a/apps/user_ldap/lib/Group_LDAP.php
+++ b/apps/user_ldap/lib/Group_LDAP.php
@@ -1178,7 +1178,7 @@ class Group_LDAP extends ABackend implements GroupInterface, IGroupLDAP, IGetDis
continue;
}
$name = $item[$this->access->connection->ldapGroupDisplayName][0] ?? null;
- $gid = $this->access->dn2groupname($dn, $name);
+ $gid = $this->access->dn2groupname($dn, $name, false);
if (!$gid) {
continue;
}